From: Mimi Zohar <zohar@kernel.org>
To: Lachlan Sneff <t-josne@linux.microsoft.com>,
pvorel@suse.cz, ltp@lists.linux.it
Cc: nramas@linux.microsoft.com, balajib@linux.microsoft.com,
linux-integrity@vger.kernel.org
Subject: Re: [PATCH v2] IMA: Add test for kexec cmdline measurement
Date: Wed, 22 Jul 2020 14:32:01 -0400 [thread overview]
Message-ID: <1595442721.5211.7.camel@kernel.org> (raw)
In-Reply-To: <1595441389.5211.1.camel@linux.ibm.com>
On Wed, 2020-07-22 at 14:09 -0400, Mimi Zohar wrote:
> On Wed, 2020-07-22 at 12:40 -0400, Lachlan Sneff wrote:
> > IMA policy can be set to measure the command line passed in the kexec system call.
> > There needs to be a test to validate this kexec command line measurement.
> >
> > Add a testcase that verifies that the IMA subsystem has correctly
> > measured the cmdline specified during a kexec.
> >
> > Note that this test does not actually reboot.
> >
> > Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
>
> Other than the patch not applying cleanly and leading blanks,
>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Oops, the kexec load is using the '-s' option, similarly the unload
should use it too. Please change all the "kexec -u" occurences to
"kexec -su".
+ if ! kexec -sl $IMAGE --reuse-cmdline; then
> + tst_res TCONF "kexec failed: $?"
> +
> + local sb_status="$(bootctl status 2>/dev/null | grep 'Secure Boot' \
> + | tr -d ' ' | sed 's/SecureBoot:*//')"
> +
> + if [ "$sb_status" = "enabled" ]; then
> + tst_res TINFO "secure boot is enabled, the specified kernel image may not be signed"
> + fi
> +
> + return
> + fi
> +
> + kexec -u
> +
> + if ! measure "$cmdline"; then
> + tst_res TFAIL "unable to find a correct entry in the IMA log"
> +
> + if [ ! -r $IMA_POLICY ]; then
> + tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required) to give contextual information"
> + fi
> +
> + if ! grep "measure func=KEXEC_CMDLINE" $IMA_POLICY >/dev/null; then
> + tst_brk TCONF "The IMA policy does not specify 'measure func=KEXEC_CMDLINE', see IMA test README"
> + fi
> +
> + return
> + fi
> +
> + cmdline="foo"cmldine
> + if ! kexec -sl $IMAGE --append=$cmdline; then
> + tst_brk TCONF "kexec failed: $?"
> + fi
> +
> + kexec -u
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@kernel.org>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v2] IMA: Add test for kexec cmdline measurement
Date: Wed, 22 Jul 2020 14:32:01 -0400 [thread overview]
Message-ID: <1595442721.5211.7.camel@kernel.org> (raw)
In-Reply-To: <1595441389.5211.1.camel@linux.ibm.com>
On Wed, 2020-07-22 at 14:09 -0400, Mimi Zohar wrote:
> On Wed, 2020-07-22 at 12:40 -0400, Lachlan Sneff wrote:
> > IMA policy can be set to measure the command line passed in the kexec system call.
> > There needs to be a test to validate this kexec command line measurement.
> >
> > Add a testcase that verifies that the IMA subsystem has correctly
> > measured the cmdline specified during a kexec.
> >
> > Note that this test does not actually reboot.
> >
> > Signed-off-by: Lachlan Sneff <t-josne@linux.microsoft.com>
>
> Other than the patch not applying cleanly and leading blanks,?
>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Oops, the kexec load is using the '-s' option, similarly the unload
should use it too. ?Please change all the "kexec -u" occurences to
"kexec -su".
+ if ! kexec -sl $IMAGE --reuse-cmdline; then
> + tst_res TCONF "kexec failed: $?"
> +
> + local sb_status="$(bootctl status 2>/dev/null | grep 'Secure Boot' \
> + | tr -d ' ' | sed 's/SecureBoot:*//')"
> +
> + if [ "$sb_status" = "enabled" ]; then
> + tst_res TINFO "secure boot is enabled, the specified kernel image may not be signed"
> + fi
> +
> + return
> + fi
> +
> + kexec -u
> +
> + if ! measure "$cmdline"; then
> + tst_res TFAIL "unable to find a correct entry in the IMA log"
> +
> + if [ ! -r $IMA_POLICY ]; then
> + tst_brk TCONF "cannot read IMA policy (CONFIG_IMA_READ_POLICY=y required) to give contextual information"
> + fi
> +
> + if ! grep "measure func=KEXEC_CMDLINE" $IMA_POLICY >/dev/null; then
> + tst_brk TCONF "The IMA policy does not specify 'measure func=KEXEC_CMDLINE', see IMA test README"
> + fi
> +
> + return
> + fi
> +
> + cmdline="foo"cmldine
> + if ! kexec -sl $IMAGE --append=$cmdline; then
> + tst_brk TCONF "kexec failed: $?"
> + fi
> +
> + kexec -u
next prev parent reply other threads:[~2020-07-22 18:32 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-22 16:40 [PATCH v2] IMA: Add test for kexec cmdline measurement Lachlan Sneff
2020-07-22 16:40 ` [LTP] " Lachlan Sneff
2020-07-22 18:09 ` Mimi Zohar
2020-07-22 18:09 ` [LTP] " Mimi Zohar
2020-07-22 18:32 ` Mimi Zohar [this message]
2020-07-22 18:32 ` Mimi Zohar
2020-07-22 18:34 ` Lachlan Sneff
2020-07-22 18:34 ` [LTP] " Lachlan Sneff
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1595442721.5211.7.camel@kernel.org \
--to=zohar@kernel.org \
--cc=balajib@linux.microsoft.com \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=nramas@linux.microsoft.com \
--cc=pvorel@suse.cz \
--cc=t-josne@linux.microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.